Uber CEO says company failed to disclose massive breach in 2016

A photo illustration shows the Uber app on a mobile telephone, as it is held up for a posed photograph, in London

A photo illustration shows the Uber app on a mobile telephone, as it is held up for a posed photograph, in London, Britain November 10, 2017. REUTERS/Simon Dawson

By Jim Finkle

(Reuters) - Uber Technologies Inc failed to disclose a massive breach last year that exposed the data of some 57 million users of the ride-sharing service, the company's new chief executive officer said on Tuesday.

Discovery of the company's handling of the incident led to the departure of two employees who led Uber's response to the incident, said Dara Khosrowshahi, who was named CEO in August following the departure of founder Travis Kalanick.

Khosrowshahi said he had only recently learned of the matter himself.

The company's admission that it failed to disclose the breach comes as Uber seeks to recover from a series of crises that culminated in the Kalanick's ouster in June.

"None of this should have happened, and I will not make excuses for it," Khosrowshahi said in a blog post.

According to the company's account, two individuals downloaded data from a web-based server at another company that provided Uber with cloud-computing services.

The data contained names, email addresses and mobile phone numbers of some 57 million Uber users around the world. The hackers also downloaded names and driver’s licence numbers of some 600,000 of the company's U.S. drivers, Khosrowshahi said in a blog post.

Bloomberg News reported that Uber's chief security officer Joe Sullivan and a deputy had been ousted from the company this week because of their role in the handling of the incident. The company paid hackers $100,000 to delete the stolen data, according to Bloomberg.

Though such payoffs are rarely discussed in public, U.S. Federal Bureau of Investigation officials and private security companies have told Reuters in the past year that an increasing number of companies have made payments to criminal hackers who have turned to extortion.

None have previously come to light that aimed to suppress breaches that would have required public disclosure, such as those involving protected personal information.

Sullivan did not immediately return messages seeking comment.

Sullivan, formerly the top security official at Facebook Inc <FB.O>, is a former federal prosecutor and one of the most admired security executives in Silicon Valley.

Kalanick learned of the breach a month after it took place, in November 2016, as the company was in negotiations with the U.S. Federal Trade Commission over the handling of consumer data, according to Bloomberg.

Uber representatives did not respond when asked to comment on the Bloomberg report.

Khosrowshahi said he had hired Matt Olsen, former general counsel of the U.S. National Security Agency, to help him figure out how to best guide and structure the company's security teams and processes.

"While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," he said. "We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."

(Reporting by Jim Finkle in Toronto; Additional reporting by Joseph Menn in San Francisco; Editing by Tom Brown)